CPRA Changes that Most Impact Adtech
• When do I need to comply
• What limitations apply to service providers
• What goes in a Notice at Collection
• What's a Sale and/or/vs. Share
• Opt-out signal compliance
• Future developments and timelines

When do I need to comply?


“Civil and administrative enforcement of the provisions of law
added or amended by this act shall not commence until July 1,
2023, and shall only apply to violations occurring on or after that
date.” (Cal. Civ. Code § 1798.185(d))


• 1/1/2023: CPRA statutory provisions are operative
  o Parts of CCPA not amended by CPRA are effective
  o CCPA provisions and regulations amended by CPRA
    continue to apply leading up to 7/1

• 7/1/2023

Service Providers


• CCPA requirements for service providers:
  o Written contract governing business purpose(s)
  o No selling by SP
  o Retain/use/disclose only to provide service in contract
  o Do not retain/use/disclose outside of SP-business
    relationship
• Key changes under CPRA and regs (section 7051)
  o No combination of PI from multiple businesses
  o CCBA + business purpose
  o Audit, remediation rights in contracts
  o Due diligence requirements

Service Provider Limitations: Adtech Impacts

• Limits due to CCBA exclusion from business purpose
  o Service providers cannot target based on a consumer's
    activity across businesses or distinctly branded sites,
    apps, services
  o Likely covers interest-based targeting, retargeting,
    segment creation
• Limits on prohibition on combination
  o Measurement
  o Frequency capping

Notice at Collection first starts with Purpose Limitations (7002)


PI collection/use = reasonable expectations and
responsibly proportionate (similar to GDPR legitimate 
interest balancing test) 

Disclosure specificity, explicitness, prominence, 
and clarity re: purposes are relevant 

Is it clear to the consumer that others are involved in 
PI collection/processing 

Business cannot collect PI categories if not disclosed 
in the N@C 

Notice at Collection in Detail (7012)


• Timely notice at/before PI collected that includes:

• PI categories (including if sensitive PI)

• Collection/use/disclosure purposes, and if sold/shared

• Retention period or criteria for retention

• Links to DNS/SH and Privacy Policy Link

• Not opt in if Notice at Collection meets this objective

• N@C link can be standalone page or deep link to
  particular section in privacy policy (no scrolling to find)


Notice at Collection in Detail (7012) 


• Latest version of regulations softened “Third Parties
  that Control” requirements

More than one business may control the collection of a consumer's
personal information and have an obligation to provide N@C.

• 1P may allow a 3P to control the collection of PI from consumers
  browsing the 1P's website.

• Both 1P & 3P must provide a N@C but can be a single N@C that
  includes required information.

• No requirement to disclose 3Ps' names

N@C Takeaways


• Robust obligations for effective disclosures — content
  and presentation

• If disclosure obligations are met, PI collection and use
  is opt out

• If disclosure obligations are not met, PI collection and
  use IS opt in

• Underscores publisher compliance and adtech
  companies’ own compliance

What might a N@C look like?


• Before 7/1/23: likely to continue to see CCPA-style
  N@Cs
• Leading up to/after 7/1/23:
• More dedicated N@C links on homepages (or deep links
  to entire lengthy section in privacy policy)
• Perhaps served in cookie banners
• Contracts requiring parties to provide certain
  disclosures
• Perhaps industry standard N@C

Sale vs. Share


• “Sale” = any transfer of PI to 3P for monetary or other
  valuable consideration (example: analytics)

• “Share” = transfer of PI to 3P for CCBA even if no
  consideration (CCPA = interest based advertising)

• Definitionally “service provider” cannot offer CCBA
  (and 3P is anyone not a SP or business with which
  consumer intentionally interacts)

• Regulator likely position: “share” = subset of “sale”
  o No examples of “Do Not Share” without “Do Not Sell
    or Share” in CPRA/regs

Opt Out Preference Signals (GPC - 7025)


What does updated 7025(c) require? 


When a business that collects personal information from
consumers online receives or detects an opt-out preference
signal ...: (1) The business shall treat the opt-out
preference signal as a valid request to opt-out of
sale/sharing... for that browser or device and any
consumer profile associated with that browser or device,
including pseudonymous profiles, and, if known, the
business shall also treat the opt-out preference signal as a
valid request to opt-out of sale/sharing for the consumer.

*This language suggests cross-device/identity resolution may be
a requirement to apply compliance persistently, but...

Opt Out Preference Signals (see also CPRA 1798.145(j))


(j) This title shall not be construed to require a business, service 
provider, or contractor to: 


(1) Reidentify or otherwise link information that, in the 
ordinary course of business, is not maintained in a manner that 
would be considered personal information. 


(2) Retain any personal information about a consumer if, in the 
ordinary course of business, that information about the consumer 
would not be retained. 


(3) Maintain information in identifiable, linkable, or
associable form, or collect, obtain, retain, or access any data
or technology, in order to be capable of linking or associating
a verifiable consumer request with personal information.

Flow-Down of Consumer Requests


• Businesses must pass through consumer requests:
  o Opt out of sale/sharing
  o Limit use/disclosure of SPI
  o Deletion (3rd parties and service providers)
• Open question: How will flow-down work when
  businesses have different pseudonyms for the same
  consumer/device?

Contracts


• Service Provider Addenda
  o entities continue to update terms
  o publicly posted terms will be valuable for
    benchmarking
• Service Provider Due Diligence
  o contract terms to include ability to assess compliance,
    including through audits
  o may not be sufficient to rely exclusively on terms
  o Standards evolving and NAI’s role is important

What's to Come? What Hasn't the CPPA Addressed Yet?


• Draft regs do not address all of CPRA
  o will miss deadline to adopt regulations for “access and
    opt-out rights” regarding businesses' use of
    automated decision-making technology
  o no detail regarding required annual cybersecurity
    audits or regular privacy risk assessments for
    businesses where significant risk to privacy or security

Compliance Priorities and Timeline


December 2022
• review privacy policy for facial compliance and UDAP
• update contract terms

Q1-Q2 2023
• assure compliance with notice at collection
• update DNSMPI links

Q3-Q4 2023
• [text]